SSL Configuaraion with Oracle Weblogic Server 11g

Hey Smart WLA!! here I am again for sharing my neew experiment on SSL Configuration on Oracle WebLogic 11g. Initially I thought of sharing in step-by-step sequance for the experiment.


***********************************************************************************
Step1: Create a new WLS domain ***********************************************************************************
(If you already have a domain , Not required to create it ...Just enable the SSL port in WebLogic Admin console)
run config.cmd script
MW_HOME=\Oracle\MiddlewareMW_HOME\wlserver_10.3\common\bin\config.cmd
or config.sh in Solaris box
create a new weblogic configuration
select next...
select OracleWebLogic Server Domain
select next...
Select Express Installation
select next...
username/password = weblogic/weblogic10
select next...
select default development mode/Sun SDK 160_11
select next...
select the configuration name=domain name = ssldomain
click create
in my case - my domain is created under : \Oracle\Middleware\user_projects\domains\ssldomain
This domain is created with only http listen port(7001) enabled. .Now, enable the SSL listen port as below:
go to Servers --> myserver --> general tabselect the "SSL Listen Port Enabled"
By default this will listen on port 7002 using default weblogic demo certificates.
click on apply. At this point - WLS is configured for one way SSL using default demo certificates.
Restart the server.

***********************************************************************************
Step 2: Getting our own Certificate and setup SSL on Weblogic
***********************************************************************************
As of now, Our server is using default private key/default public key(certificate) and default trust.
Now, steps to use your own certificate and setup SSL on Weblogic is as follows:
1. get your own private key/certificate/trust for your certificate
2. create identity keystore (which will have your private key + certificate)
and create trust keystore (which will have trust cert for your own digital cert)
3. Use the identity and trust keystore created in step 2
and configure WebLogic to replace demo keystores with your own keystores.
Now, details for step 1:
create private key using keytool command
- --go to your domain dir and run setENV.cmd or setEnv.sh script
---now run the following keytool command to create private key
(use your own name and rest you can keep the same)
C:\Oracle\Middleware\user_projects\domains\ssldomain> keytool -genkey -keyalg RSA -alias mykey -keystore panikeystore.jks
Enter keystore password: weblogic10
Re-enter new password: weblogic10
What is your first and last name? [Unknown]: Sarangapani
What is the name of your organizational unit? [Unknown]: support
What is the name of your organization? [Unknown]: MyCompany
What is the name of your City or Locality? [Unknown]: Hyderabad
What is the name of your State or Province? [Unknown]: AP
What is the two-letter country code for this unit? [Unknown]: IN
Is CN=Sarangapani, OU=support, O=MyCompany, L=Hyderabad, ST=AP, C=IN correct? [no]: yes


Enter key password for (RETURN if same as keystore password): weblogic10
Re-enter new password: weblogic10
As a result you obtain a file: panikeystore.jks (in the same dir),
containing a private key, and a self-signed public key
-------------------------------------------------------------
Now, its time to send your public key for getting it signed by trusted authority (we will send it to verisign)
This is done by retrieving the CSR (Cert Signature Request) from panikeystore.jks and sending it to one of the Certificate Authorities like VeriSign.

Run the following command to get CSR:
C:\Oracle\Middleware\user_projects\domains\ssldomain>keytool -certreq -keystore panikeystore.jksEnter keystore password: weblogic10
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBqzCCARQCAQAwazELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUthcm5hdGFrYTESMBAGA1UEBxMJ
QmFuZ2Fsb3JlMQwwCgYDVQQKEwNCRUExEDAOBgNVBAsTB1N1cHBvcnQxFDASBgNVBAMTC1JhbWFr
cmlzaG5hMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxB2BdG1iBsIJvK3x2lcnn7GclEShT
ib5sbiHa7h1DBqMZZc1lezGI55Nz1YSUZukgj7aZj9N4K7haV93LoD4pNREpLcp7DGxNODNclp5F
DHTevqWx0rXqjwei5Euh2f5ACSFo3tL5o5QXkS3o4TeZ2QSypAyeu/+qtnk7Od/xGQIDAQABoAAw
DQYJKoZIhvcNAQEEBQADgYEAXOYBI9LJPBVA+OyK/4od6ORkJnew/K7WWMjeLwZjwKI7INCHw4VG
dG0v7z2JnSpgi43fipWyywt5fmXZqfKNtki5SNxV3kLHAWxardgZbZ8H/kO95CtbOcFtagPLH8pi
+rp2iGFSlH6+UYtW1qXL3FM0srIxam6RgYqCixf5gGQ=
-----END NEW CERTIFICATE REQUEST-----
C:\Oracle\Middleware\user_projects\domains\ssldomain>
===============================================================
We need to copy and paste all this (including -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----) to the Certification Authority.
open a notepad and copy it there.

Now we will go to verisign site to get this signed.

Go to
https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=0110&toc=w63780188130110000&ra=65.205.251.51&email=

Enter your information and follow the instructions to submit the CSR

First Name: Sarangapani
Last Name: M
e-mail: your email@MyCompany.com
ompany: MyCompany
phone: 1234567890
state: Outside the US or Canada
Zip: 500081
Country: India
select "research only"
select "no budget"
select "research only"
click "Submit" button.
click the "Continue" button
again, click the "Continue" button
====================================
Technical details:
enter you details.................................
E-mail - your email. specify company email id. (eg. your email@MyCompany.com)====================================
select server platform = "all others" and paste your CSR
if it ask for password/chalenge phrase = weblogic10
====================================
once done, verisign will send you your digital cert in an email.
when you receive your email goto step3.
************************************************************************************
Step 3: Creating RootCA certification files(testrootca.cer) and PEM content of public key file(mycert.pem)
************************************************************************************
Verisign will then send you an email with the PEM content of the public key.

Scroll at the end of the email and Save it under a file name mycert.pem.

It also contains a link to get a root CA cert for your certificate i.e. a link to download
the Test CA Root.
follow the link to download Test CA Root - getcacert.cer.
save it under your domain dir.

This file is in binary format.
Lets convert this in txt format.
double click on this file.

click on details tab page --> copy to file (at the bottom) --> base 64 encoded x.509 format --> save as testrootca.cer under your domain dir.

now you have
your cert - mycert.pem
test ca cert - testrootca.cer

now open a textpad editor and merge testrootca.cer in your mycert.pem

so at the end -you will have
your cert - mycert.pem (which will have a chain i.e. your cert + test ca root)
test ca cert - testrootca.cer

**********************************************************************************
Step 4: Creating Identity key Store and Trust Key Store
**********************************************************************************
Import the public key into your identity keystore. It will go on the same alias as the private key:
C:\Oracle\Middleware\user_projects\domains\ssldomain>keytool -import -alias mykey -file mycert.pem -keystore panikeystore.jks
Enter keystore password: weblogic10


Top-level certificate in reply:


Owner: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"Serial number: 52a9f424da674c9daf4f537852abef6eValid from: Sun Jun 07 05:30:00 IST 1998 until: Wed Jun 07 05:29:59 IST 2006Certificate fingerprints: MD5: 40:06:53:11:FD:B3:3E:88:0A:6F:7D:D1:4E:22:91:87 SHA1: 93:71:C9:EE:57:09:92:5D:0A:8E:FA:02:0B:E2:F5:E6:98:6C:60:DE
... is not trusted. Install reply anyway? [no]: yes
Certificate reply was installed in keystore

C:\Oracle\Middleware\user_projects\domains\ssldomain>
===========================================================
Lets create the trust keystore:
C:\Oracle\Middleware\user_projects\domains\ssldomain>keytool -alias mytkey -trustcacerts -import -file getcacert.cer -keystore panitruststore.jks -storepass weblogic10

Owner: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"Serial number: 52a9f424da674c9daf4f537852abef6eValid from: Sun Jun 07 05:30:00 IST 1998 until: Wed Jun 07 05:29:59 IST 2006Certificate fingerprints: MD5: 40:06:53:11:FD:B3:3E:88:0A:6F:7D:D1:4E:22:91:87 SHA1: 93:71:C9:EE:57:09:92:5D:0A:8E:FA:02:0B:E2:F5:E6:98:6C:60:DE
Trust this certificate? [no]: yes
Certificate was added to keystore

C:\Oracle\Middleware\user_projects\domains\ssldomain>
===========================================================
the above command will create panitruststore.jks i.e., our trust keystore.

so at this time - we have
1. identity keystore = panikeystore.jks
2. trust keystore = panitruststore.jks
cheers.. you are almost done.
now just need to configure wls to use the above keystores instead of default demoidentity
and default demo trust keystore.

**********************************************************************************************Step5: Step 5: Configuring Keystores and SSL in Weblogic11g console
**********************************************************************************************so Finally, we all done in creating our own custom Identity keystore which contains our private key + our certificate signed by VeriSign.
and Our own custom trust keystore which contains test root CA.

now lets setup SSL on your server using your custom keystores.

Our server is currently using default demo cert.

Setup SSL in the admin server console under "Keystores & SSL" Tab Page.
Click on "change" and then select "Custom Identity and Custom Trust" from the drop down menu. click continue.
Then specify the full path for Identity(panikeystore.jks) and Trust Keystore(panitruststore.jks). Specify the passwords for both the stores. click continue.
Now specify the password and alias for private key. apply the changes
and you will need to restart the server.

The above steps will configure SSL. WLS will use the private/public key (certificate) from our Identity keystore and the trust certificate from the trust keystore.

Restart the server and test it.
go to https://localhost:7002/console
it will warn you as this is a test cert.
you are done setting up one way SSL with your own custom keystores.

Cheers,
Your Pani the WLA

Sun One WebServer7 Proxy for Weblogic 11g

Installation Steps

I am going to install sun webserver on Solaris operating environment. Every operating environment will have different supporting installation bundles will be available for download. Download the sjsws-7_0-solaris-sparc[1].tar from sun and Extract it into one folder (Ex: sun)

Step2: Go to sun folder and execute the following command


$HOME/sun$ ./setup --console
You are running the installation program for Sun Java System Web Server 7.0.You will be asked to specify preferences that determine how Sun Java System WebServer 7.0 is installed and configured.

Are you sure? [yes]
To accept the default, press Enter.
To provide a different answer, type the information at the command prompt and
then press Enter.
Welcome to the Sun Java System Web Server 7.0 Installation Program

Sun Microsystems, Inc. ("Sun") SOFTWARE LICENSE AGREEMENT ("SLA") andENTITLEMENT for SOFTWARE
<--[28%]--[ENTER To Continue]--[n To Finish]-->
<--[57%]--[ENTER To Continue]--[n To Finish]-->
<--[86%]--[ENTER To Continue]--[n To Finish]-->
Have you read the Software License Agreement and do you accept all terms [no] {"<" goes back, "!" exits}? Yes
Sun Java System Web Server 7.0 Installation Directory [/sun/webserver7] {"<" goes back, "!" exits}: $HOME/sun/webserver7/
Specified directory $HOME/sun/webserver7
does not exist Create Directory? [Yes/No] [yes] {"<" goes back, "!" exits} Yes
Select the Type of Installation
1. Express
2. Custom
3. Exit
What would you like to do [1] {"<" goes back, "!" exits}? 2
Component Selection
1. Server Core
2. Server Core 64-bit Binaries
3. Administration Command Line Interface
4. Sample Application
5. Language Pack
Enter the comma-separated list [1,2,3,4,5] {"<" goes back, "!" exits}: 1,3
Based on component dependencies for your selection...
The following components will be installed:
Server Core


Administration Command Line Interface


Java Configuration
Sun Java System Web Server 7.0 requires Java Standard Edition. Provide the path to a Java Standard Edition 1.5.0_09 or greater.
1. Install Java Standard Edition 1.5.0_09
2. Reuse existing Java SE 1.5.0_09 or greater
3. Exit
What would you like to do [1] {"<" goes back, "!" exits}? 2
Enter the path to an existing, compatible Java Standard Edition installation. [] {"<" goes back, "!" exits} $HOME/Oracle/Middleware/jdk160_11
Administration Options
1. Create an Administration Server and a Web Server Instance
2. Create an Administration Node
Enter your option [1] {"<" goes back, "!" exits} 1
This panel collects some required information for creating an administrationserver. Host Name [$HostName] {"<" goes back, "!" exits} $HostName
SSL Port [8989] {"<" goes back, "!" exits} <
Administration Options
1. Create an Administration Server and a Web Server Instance
2. Create an Administration Node
Enter your option [1] {"<" goes back, "!" exits} 1
This panel collects some required information for creating an administrationserver. Host Name [$HostName] {"<" goes back, "!" exits} $HostName
SSL Port [8989] {"<" goes back, "!" exits} 9898
Create a non-SSL Port [yes/no] [no] {"<" goes back, "!" exits}:
Administrator User Name [admin] {"<" goes back, "!" exits}
Administrator Password: Retype Password:
A web server instance is created as part of the installation. This panel letsyou customize some of the server settings.
Server Name [$HostName] {"<" goes back, "!" exits} sunonepani
HTTP Port [8080] {"<" goes back, "!" exits} 8686
Document Root Directory [$HOME/sun/webserver7/https-sunonepani/docs] {"<" goes back, "!" exits}
Product : Sun Java System Web Server
Location : $HOME/sun/webserver7
Disk Space : 115.43 MB------------------------------------------------------ Server CoreAdministration Command Line Interface Ready to Install
1. Install Now
2. Start Over
3. Exit
Installation What would you like to do [1] {"<" goes back, "!" exits}? 1 Installing Sun Java System Web Server-1%--------------25%-----------------50%-----------------75%--------------100%Installation Successful.
Next Steps:
1. Start the Administration Server by executing: $HOME/sun/webserver7/admin-server/bin/startserv
2. You can access the Web Admin Server by accessing the following
URL:https://$hostname:9898/
3. Refer to the installation log file at$HOME/sun/webserver7/setup/Sun_Java_System_Web_Server_install.logfor more details.

WebServer Proxy Configuration
Step 3: Copy the proxy plugin (ex:libproxy_61.so)
from $MW_HOME/weblogic10_3/server/plugins/solaris/sparc/ to sun/webserver7/http-instancename/config/
Step 4: Add the following lines in obj.conf file
$HOME/sun/webserver7/https-sunonepani/config]$ vi obj.conf
Open a Object tag and keep it as below under <>
name="weblogic" ppath="*/weblogic/*"
Under Object tag body means before closing the object tag , we need to keep as below ...
Service fn=wl_proxy WebLogicHost=Myhostserver WebLogicPort=8992 PathTrim="/weblogic"
then Close the Object tag

Step 5: Add the following lines in magnus.conf file
$HOME/sun/webserver7/https-sunonepani/config]$ vi magnus.conf
Init fn="load-modules"funcs="wl_proxy,wl_init"shlib="libproxy_61.so" Init fn="wl_init"


Step 6: start the weblogic instance which is under wl_domain
$HOME/$WL_DOMAIN/bin]$ startWebLogic.sh


Step 7: start the sun one admin server instance
$HOME/sun/webserver7/admin-server/bin]$ startserv


Step 8: start the sun one webserver instance
$HOME/sun/webserver7/https-sunonepani/bin]$ startserv


Good References for WL domain creation
Dynamic Domain creation

Apache Installation & Configuaration

Here we were experimenting with Apache Webserver Installation and Configuaration plug-in with the weblogic server

Installation made simple Steps which you can follow them

Step1: Download the any stable version of httpd for your operating environemnt (Now I am intersted in Solaris) suitable binaries given as tar/zip file (Ex: httpd-2.2.11.tar) and Extract it

tar -xvf httpd-2.2.11.tar

Step2: Go to httpd-2.2.11 directory and execute the confiure command to configure the apache in one folder (Ex: apache2)

cd httpd-2.2.11
./configure --prefix=$Home/apache2

Step3: We need to execute the below commands to build I mean compile the binaries

make
make install

Step4: take the backup of httpd.conf file

cd apache2/conf
cp httpd.conf httpd.conf_original

Step5: Edit the httpd.conf configuration file

vi httpd.conf
ServerRoot "$Home/apache2"
(ServerRoot is the path to the server's configuration, error and log files.It is possible to change this path, provided all the necessary files are copiedto the new location accordingly)
Listen IPAddress:Port (Ex: Listen 4.192.50.25:9999)
LoadModule weblogic_module modules/mod_wl_22.so
User wlusername
#main content of wl application details to update in httpd.conf file
Open tag of IfModule
#keep the info in open tag of IfModule ---mod_weblogic.c
WebLogicCluster hostname:9902,hostnamevir1:9902
MatchExpression *.jsp
close tag of IfModule
Open tag of Location
#keep /application root folder name in Lacation
SetHandler weblogic-handler
DynamicServerList ON
HungServerRecoverSecs 600
ConnectTimeoutSecs 40
WLCookieName JSESSIONID
DebugConfigInfo OFF
Debug ON
WLLogFile /$Home/apache2/logs/web1.log
ConnectRetrySecs 2
Idempotent ON
FileCaching ON
WLProxySSL OFF
SecureProxy OFF
Debug OFF
Close tag of Location

ServerAdmin sarangapani.matoori@gmail.com
ServerName 4.192.50.25 (we can use dns name , if we don't have it then we can use the ip)

Step6:copy the mod_wl_22.so module file from $Home/wl923/bea/weblogic92/server/plugin/solaris/sparc to $Home/apache2/modules
cp $Home/wl923/bea/weblogic92/server/plugin/solaris/sparc/mod_wl_22.so $Home/apache2/modules/
Step7:check the status of apche configuaration is ok
cd $Home/apache2/bin
apachectl -t
Step8: Now the starting your newly installed Apache webserver
apchectl -k start or httpd -k start

Step9: Access the application with the apache port
http://hostip:port(which%20is%20kept%20in%20httpd.conf/ file)/ProjectName/jsp/Logon.jsp
Step10: Stop the Apache
apchectl -k stop or httpd -k stop


Good Reference for creating your WL domain: 
Dynamic WebLogic Domain configuration